fix: token refresh and seed tree visibility

Fix broken JWT token refresh that caused "Failed to load trees" after
idle timeout. The refresh endpoint expected token as query param but
frontend sent it as Authorization header. Added proper dependency
(get_refresh_token_payload) and refresh queue to handle concurrent 401s.

Also fix seed trees not being visible to non-admin users by updating
the seed script to set is_public/is_default on existing trees.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/api/deps.py

@@ -49,6 +49,20 @@ async def get_current_user(
     return user
 
 
+async def get_refresh_token_payload(
+    token: Annotated[str, Depends(oauth2_scheme)]
+) -> dict:
+    """Extract and validate a refresh token from the Authorization header."""
+    payload = decode_token(token)
+    if payload is None or payload.get("type") != "refresh":
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid refresh token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    return payload
+
+
 async def get_current_active_user(
     current_user: Annotated[User, Depends(get_current_user)]
 ) -> User: